We brought in GitGuardian Internal Monitoring to review all of our code within GitHub so that we can identify and fix any exposed secrets.
I have been very impressed with the breadth of its detection capabilities. I did a proof of concept with a couple of other common tools for the same kind of thing, and I found GitGuardian to be the best. It finds everything that I would expect it to find. It found more than I thought we would find, so I am very happy with the detection.
I am very happy with the number of specific detectors and keys that it can find for Google, AWS, Twitter, Facebook, etc. It has a lot of specific detectors for different categories, but it also has quite a lot of automatic validity checking, so it can tell whether your Twitter keys or AWS keys are active or have been revoked. If they are revoked, it is not a problem. Validity checking is fantastic.
GitGuardian Platform's accuracy is incredibly high. There are a couple of categories of generic secrets that I can find. When you turn those on, you end up with quite a few false positives. With the specific detection categories, the false positive rate is incredibly low, but when you turn on the generic categories, it goes up a bit. I am very happy with the number of things that it does find, instead of focusing on true positives versus false positives.
It has not helped to decrease false positives because we did not have a tool in the first place, so we did not have any false positives. We have not decreased our rate at all.
GitGuardian Platform has absolutely helped to quickly prioritize remediation. The severity or criticality that the tool automatically assigns has been very helpful. The built-in validity checking has also been helpful. Whenever you have keys that are marked as valid within the tool, you know that they are high priority and need to be resolved sooner than the ones that are not marked as valid.
We have significantly reduced our potential risk exposure of secrets. In the past nine months, by using GitGuardian, we have been able to identify and resolve a large number of secrets within our code, which reduces the risk if our code were to become public. It has greatly reduced our security risk. It has reduced the potential risk of exposure of secrets by about 75%. We have not only been able to resolve existing issues; we are also more likely to prevent these issues from occurring with improved security culture and the features within the tool.
GitGuardian Platform efficiently supports our shift-left strategy. It provides a command line interface, which can link the shift left with your standard development processes. Whenever developers are writing code and trying to commit and push that up to GitHub, the command line interface can be integrated into that to prevent secrets from getting into GitHub. It can help go almost as far left as possible.
GitGuardian Platform has greatly improved awareness, and it has reduced the number of secrets that end up in our code. There has been a two-layer impact where it has helped people think about this as an issue and it has also helped them stop doing it even if they are not thinking about it.
GitGuardian Platform has improved our ability to collaborate. We work closely with the development teams to identify the issues, investigate the issues, and troubleshoot and resolve those issues. Due to the way the tool works, it has helped us gather people into teams and work with them so that we can help resolve the findings.
We have one or two of the playbooks automatically enabled. So far, I find them very helpful. The main one so far is that the secrets will automatically resolve when they are revoked, which is incredibly useful. For example, whenever someone goes into the AWS platform to revoke AWS keys, they do not have to go into GitGuardian. It automatically detects that they have been revoked and closes the issue. It is a lot less work than having to go into two different tools and more. There are a couple of playbooks we have for the CLI, so whenever we ignore issues via CLI because something might be a false positive or something might only be a testing key, it will auto-resolve within the UI. The playbooks make it easier to avoid using the UI, but you do not have to. It is one of the catch-22 situations. There is a UI, but they are enabling you to not even have to check it in the first place. Playbooks have reduced 50% to 60% of manual work. If developers accidentally commit active keys, they do not have to go in. They do what they need to do to resolve the keys. They do not need to think about it again.
GitGuardian Platform has increased our security team's productivity by about 50%. When we previously had noticed keys, it would have been manual. It would only have been occasionally when I was looking through the code and found the keys. I would have had to reach out to developers and discuss that. It has definitely greatly increased our productivity because we can now automate sending out tickets and assigning them to the right teams. A couple of clicks can send out the information for someone to look into rather than having to message them and try to discuss it with their team. It is a lot more automated.
It is hard to measure the increase in secrets detection rate because previously, we did not have any solution, so we were not detecting anything. After implementing GitGuardian, we can now see what we have got.
Similarly, it is hard to measure the reduction in the mean time to remediation as we did not have something before. It was more manual before. There is probably a 70% reduction because, previously, if I found an issue, I would reach out to our team and spend a while discussing it with them, whereas now, we can just send out a Jira ticket. They can log in and have a look. There is a lot less discussion back and forth.